Rapid7 Blog

Happy Friday, federal friends! Spring has sprung! While some of us had a touch of winter this week, we avoided the big hit, and it looks like nothing but sunshine on the horizon, which means summah is around the corner! Speaking of summer, who's going to Vegas for Black Hat, BSides and DEF CON? Drop me a line here if you are!

Attackers, being the solid humans they are, have decided to pile on the recent tragedy of Malaysia Airlines Flight MH370. In the wake of the aviation disaster, FireEye published a blog report on two spear-phishing attacks targeting government institutions and think tanks. The report states that a government in the Asia-Pacific region was targeted with a .doc attachment that executed code in the background and dropped a variant of the Poison Ivy remote access tool onto the affected machine. The document purported to contain information about the flight, and given the flurry of misinformation coming from multiple sources, the attachment was bound to be clicked, especially since it was sent only two days after MH370 went missing. The decoy itself was actually blank, which suggests the campaign was pushed out in a hurry to capitalize on the chaos immediately after the disappearance. FireEye notes that it has seen this tactic before, from the same group, which it tracks as Admin@338.

In a second, related attack a few days later, Admin@338 targeted a major U.S.-based think tank. The tactics here were a little more sophisticated: the attachment was made to look like a CNN video clip about the incident, and the executable was given a Flash icon to complete the disguise. The payload was still Poison Ivy, but this version behaved slightly differently from the earlier one, relying on a feature available only from Windows 7 onward. The silver lining? If you are still running XP, a reboot is enough to mitigate this version of the malware, since the Windows 7 feature it relies on is not there. FireEye also notes that although this effort was more elaborate than a blank .doc, it too seemed rushed: even a full six days after MH370 went missing, with some aspects of the campaign changed, the end result was still sloppy.

That said, the fact that these spear-phishing campaigns were rushed and not overly sophisticated does not mean they won't affect your organization.

Another threat surfaced within the last week: a zero-day vulnerability affecting Microsoft Word and Office. The attacks use a chain of exploits, but the kicker comes from Outlook, which uses Word to render email: as Microsoft noted on Tuesday, simply previewing a malicious message can infect your computer. This is a big issue because, while the attacks seen so far are aimed at Word 2010, the same vulnerability is present in Word 2003, 2007, 2013 and 2013 RT (for tablets running ARM processors). The exploit is delivered in a specially crafted RTF file; because Outlook hands RTF mail to Word for rendering, the preview pane alone is enough to trigger it. The vulnerability was not known until these attacks began, and the exploit was discovered in much the same way as a campaign launched last year. On top of all that, the bug affects Office on both Windows and OS X, creating a field of fire in which just about everyone is in range.
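Both stories above come down to an attachment that is not what it claims to be: an executable wearing a Flash or video icon, and an RTF payload that Word will parse no matter what the file is called. The script below is an added example (not from the original post, and not FireEye's or Microsoft's code) of the content-based triage a mail gateway or an analyst would run on attachments before trusting the name or icon. The sample attachments are constructed stand-ins; the signatures are the standard magic bytes for each format, not indicators from the campaigns described here.

```python
"""Attachment triage: classify files by their leading bytes rather than by
the extension or icon they advertise.

Added example; the SAMPLES below are constructed, not real campaign files.
"""
import os

# Content signatures (magic bytes) for the formats that figure in the
# campaigns above: legacy Office (OLE compound file), RTF, PE executables,
# Flash, and the zip container used by modern Office files.
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole", {".doc", ".xls", ".ppt"}),
    (b"{\\rtf",                           "rtf", {".rtf"}),
    (b"MZ",                               "pe",  {".exe", ".dll", ".scr"}),
    (b"FWS",                              "swf", {".swf"}),
    (b"CWS",                              "swf", {".swf"}),
    (b"PK\x03\x04",                       "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
]

EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd"}

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind, _ in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def expected_extensions(kind: str) -> set:
    """Extensions a file of this content type would normally carry."""
    exts = set()
    for _, k, e in SIGNATURES:
        if k == kind:
            exts |= e
    return exts


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment and list the reasons it deserves a closer look."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    reasons = []
    if kind == "pe":
        # An executable is an executable whatever icon or name it carries;
        # a "video clip" with a Flash icon that starts with MZ is the disguise
        # used in the think-tank attack.
        reasons.append("executable content")
    if kind != "unknown" and ext not in expected_extensions(kind):
        reasons.append(f"content is {kind} but name says {ext or '(none)'}")
    if kind == "rtf":
        # Word parses RTF by content, not by extension, so any RTF reaching
        # the mailbox goes through the parser the Outlook preview bug lives in.
        reasons.append("rtf content reaches Word's RTF parser")
    # "clip.mp4.exe": a double extension ending in an executable type.
    stem, outer = os.path.splitext(filename)
    if outer.lower() in EXECUTABLE_EXTS and os.path.splitext(stem)[1]:
        reasons.append("double extension")
    return {
        "file": filename,
        "ext": ext,
        "content": kind,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample attachments (names and bytes invented for this example).
SAMPLES = {
    "MH370_passenger_list.doc": OLE_MAGIC + b"\x00" * 64,
    "cnn_mh370_clip.mp4.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "flight_update.doc": b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} hello }",
    "briefing.rtf": b"{\\rtf1\\ansi briefing }",
}


def run() -> dict:
    """Triage every sample and return the results keyed by filename."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for result in run().values():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['file']:28} {result['content']:8} {flag} {result['reasons']}")
```

The flags are reasons for review, not verdicts: a legitimate .doc that is really RTF does turn up in the wild, which is exactly why the check has to look at the bytes rather than the name. Running the script marks the disguised executable and both RTF files, and leaves the genuine legacy .doc alone.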
